Re: [HOKEY] WGLC comments for preauth document
Charles,
Thank you very much for your review. I agree with all of your comments.
Here is a list of action items:
- We will add a terminology section.
- We will add an inter-AAA domain handover use case in which there is
no roaming relationship between visited and home AAA domains, e.g., a
handover from a residential Wi-Fi network to a WiMAX network.
- We will revise the specific sentences you pointed out.
- We will add missing references you pointed out.
- In Figure 1, the "Internet" cloud can be an arbitrary IP network.
We will revise the figure accordingly.
- The term "subnet" has been mainly used to cover intra-technology
handover across media-specific domains such as 802.11r mobility
domains. We can revise the draft to use the term "media-specific
domains" with an appropriate definition in a new terminology section.
- We will shorten the content of Appendix A and move it to the main
body of the draft.
- We will fix all editorial comments.
Best Regards,
Yoshihiro Ohba
On Sat, Apr 05, 2008 at 08:13:23PM -0400, Charles Clancy wrote:
> WGLC Comments for draft-ietf-hokey-preauth-ps-02:
>
> Overall
> -------
>
> A terminology section is needed. The document uses a lot of terminology
> without defining it or citing documents in which it has already been
> defined.
>
> This document discusses cases where we wish to pre-authenticate from one
> authenticator to another, but it's not clear whether these
> authenticators have to be served by the same AAA server or AAA domain.
> I think one of the major benefits of pre-authentication is the ability
> to pre-authenticate to a remote AAA domain that does not have a roaming
> relationship with your current AAA domain. This would allow a mobile
> node with multiple credential sets (with multiple AAA servers/domains)
> to roam between networks that don't have a roaming relationship. For
> example, this might allow you to roam from your home WiFi network to an
> operator's WiMAX network. I think more discussion should be in the
> document to distinguish between and clarify these cases.
>
> Section 1:
> ----------
>
> This should be moved to the end of the document.
>
> Section 2:
> ----------
>
> "When a mobile during an ...": some terminology is needed, particularly
> define "mobile", or preferably refer to it using EAP terminology, i.e.
> the "peer".
>
> s/may change its subnet/may change the subnet/
>
> s/support an interactive/support interactive,/
>
> authentication procedure and authorization procedure are poorly defined
>
> s/affects the ongoing/affects ongoing/
>
> s/where an AAA/where a AAA/
>
> Reword sentence: "Depending upon the
> type of architecture, in some cases the AAA signals traverse all the
> way to the AAA server in the home domain of the mobile as well before
> the network service is granted to the mobile in the new network."
>
> s/such as VoIP is very/such as VoIP are/
>
> Section 3:
> ----------
>
> s/setting up of L2/setting up L2/
>
> s/AP (Access Point)/Access Point (AP)/
>
> Reword sentence: "Following a successful authentication, a secure
> association protocol
> named four-way handshake with the wireless station derives a new set
> of the session keys for use in data communications."
>
> s/Unless PMK (Pairwise Master Key)/Unless the Pairwise Master Key (PMK)/
>
> Need reference for: "This is
> larger than the average coverage overlap of a wireless LAN (WLAN)."
>
> s/organizations. But these/organizations, but these/
>
> Add references for 11f and 11i
>
> Reword sentence: "Especially, a solution is needed to
> enable EAP pre-authentication in IEEE 802.11 to work even if the
> station and AP are not members of the same VLAN."
>
> s/of high bandwidth wireless/of high-bandwidth, wireless/
>
> s/802.11a\/b\/g/802.11/
>
> s/hotspot like coverages/hotspot-like coverage/
>
> s/relatively lower bandwidth/relatively low bandwidth/
>
> s/handover keying or EAP/handover keying, or EAP/
>
> s/contact in the new/context to the new/
>
> s/because of domino effect/because of the domino effect/
>
> s/a compromise of/the compromise of/g
>
> s/I-D.ietf-hokey-reauth-ps/RFC5169/
>
> Recommend not using term "subnet" as it's not defined in the EAP
> context. EAP is typically an L2 protocol, which has no notion of subnets.
>
> s/Note that EAP pre-/Note that the EAP pre-/
>
> s/by each link-layer/by each link layer/
>
> s/developed at IETF/developed by the IETF/
>
> s/ongoing data communications are/ongoing data communication is/
>
> Figure 1: Why is "Internet" in the middle? Can't it be an arbitrary L3
> network?
>
> s/functionality of EAP authenticator/functionality of an EAP authenticator/
>
> s/is either standalone/is either a standalone/
>
> s/functionality of EAP server/functionality of an EAP server/
>
> s/On the other hand, when/When/
>
> s/with EAP server/with the EAP server/
>
> Add references for RADIUS and Diameter
>
> s/uses an MSK (Master Session Key)/uses a Master Session Key (MSK)/
>
> Section 4:
> ----------
>
> s/two scenarios on how/two scenarios for how/
>
> s/a serving authenticator/serving authenticator/
> s/a candidate authenticator/candidate authenticator/
> s/a AAA server/AAA server/
>
> s/for both pre-authentication scenarios/for either pre-authentication
> scenario/
>
> Section 4.2:
> ------------
>
> Reword sentence: "Indirect pre-authentication signaling is spliced into
> mobile node to
> serving authenticator signaling (MN-SA signaling) and serving
> authenticator to candidate authenticator signaling (SA-CA signaling)."
>
> Section 5
> ---------
>
> s/pre-authentication, i.e., authenticator/preauthentication: authenticator/
>
> Section 5.1
> -----------
>
> s/IP address and a mechanism/IP address, and a mechanism/
>
> Section 6
> ---------
>
> s/AAA documentations/AAA documents/
>
> s/This means, when such/This means that when/
>
> s/support pre-authentication function,/support pre-authentication,/
>
> s/life time/lifetime/g
>
> s/pre- authenticated/pre-authenticated/
>
> s/or the NAS, when/or the NAS when/
>
> "mobile entity"? Be consistent with terminology.
>
> s/ping pongs/cycles/
>
> s/common for the network operators/common for network operators/
>
> s/maintain the control/maintain control/
>
> s/in an anticipation for/in anticipation of/
>
> Section 7:
> ----------
>
> s/any solution for this problem needs considerations on/any solution
> needs to consider/
>
> Sentence fragment, revise: " First, a possible resource consumption
> denial of service attack where
> an attacker that is not on the same IP link as the mobile node or the
> candidate authenticator may send unprotected pre-authentication
> messages to the mobile node or the candidate authenticator to let the
> legitimate mobile node and candidate authenticator spend their
> computational and bandwidth resources."
>
> s/noted that, when/noted that when/
>
> Appendix A:
> -----------
>
> I think this should be significantly shortened, citing references, and
> included in the body of the document.
>
> --
> t. charles clancy, ph.d. eng.umd.edu/~tcc
> electrical & computer engineering, university of maryland
> _______________________________________________
> HOKEY mailing list
> HOKEY at ietf.org
> https://www.ietf.org/mailman/listinfo/hokey
>